Last month, IBM announced the results of their annual Cost of a Data Breach Report, which found that data breaches now cost companies $4.24 million per incident on average – the highest cost in the 17-year history of the report. The study suggests that security incidents have become more costly and harder to contain due to drastic operational shifts during the pandemic, with costs rising 10% compared to the prior year. The report also found that while certain IT shifts during the pandemic increased data breach costs, organizations who said they did not implement any digital transformation projects in order to modernize their business operations during the pandemic actually incurred higher data breach costs.
The threat of data breaches is not going away anytime soon, and frankly, over the last few years and especially since the pandemic, we have observed rapidly evolving, diverse tactics of threat actors operating in a dynamic digital ecosystem. This increases risks that can lead to reputational, financial, and legal damages. Cybercriminals and threat actors do not discriminate and are always adapting their tactics. We’ve witnessed not only Fortune 500 companies and government institutions suffer from data breaches, but also countless medium-sized organizations and small, family-owned businesses.
The last 365 days have undoubtedly proven profitable for the breach economy. We’ve watched sectors that deliver critical infrastructure come to a screeching halt with the Colonial Pipeline cyberattack and some of America’s most powerful government agencies compromised in the SolarWinds hack. These are just examples, and several more can be cited from sectors ranging from financial services to healthcare and beyond.
As a result of organic modernization, along with COVID-19 forcing a faster adoption of technology, the world increasingly relies on more digital solutions than ever and has made a now definitive shift toward hybrid and remote work models. For both cost and operational efficiencies, individuals, brands, and public institutions have pivoted toward a greater reliance on digital services, providing cybercriminals with a plethora of opportunities to exfiltrate and exploit data. The era of modernization, social media, and the ubiquity of digital solutions has resulted in personally identifiable information (PII) being spread far and wide and into the hands of malicious actors. The weaponization of information and data, from targeted threats to steal data or funds to malign influence and reputational attacks, expands the possibilities at attackers’ disposal. As such, organizations should be astute in understanding the landscape of threats in the digital ecosystem and effectively preparing to defend against them.
Constella Intelligence’s 2021 Breach Report
Digital risk protection and cybersecurity firm, Constella Intelligence, is home to the most extensive breach data collection on the planet, with more than 45 billion archived identity records. We recently published our 2021 Identity Breach Report, titled PII Fuelling the Threat Economy: How Crisis Creates Targeted Vulnerabilities for Individuals, Executives, and Brands. The report evaluates data collected from Constella’s extensive database of archived identity records from data breaches and leakages found on the surface, deep, and dark web, in addition to trends identified in deep and dark marketplaces over the past year. Our threat intelligence team detected over 8,000 breaches consisting of over 12B records in 2020, and our findings represent far more data breaches and leakages than just those reported in the media.
Our report found new vulnerabilities exploited by threat actors during the pandemic, including COVID-19 items like vaccines, vaccine certificates, and COVID-19 tests for sale on the dark market. We identified an exorbitant increase in the prices of sensitive personal records transacted in dark marketplaces, among them credit cards $80.64 (+90.64%), passports $684.29 (+1,185.05%), ID cards $213.49 (+642.57%), and driver’s licenses $205.71 (+328.56%), possibly due to increased demand for false identification records during the pandemic. These trends are reinforcing what seems to now be the fundamental rule of cyberspace—personally identifiable information is the fuel that keeps the engine of the breach economy going. Astoundingly, nearly 60% of the data breaches our team analyzed exposed some form of PII, and 72% of these breaches included passwords. PII is everywhere, and threat actors want and need it.
The interconnectedness of the threats identified in our 2021 Breach Report is worth paying attention to: when threat actors target individuals to obtain access to corporate networks, it not only puts employees at risk, but also has serious implications for the reputation of brands and executives, which in turn can have consequences for business continuity. Data breaches are multifaceted in the damage they stand to inflict, as they can undermine the public’s trust in the exploited company while exacting costly financial and legal repercussions as well. Strikingly, our research suggests that the use of corporate credentials by executives and employees in key sectors is not improving. Fortune 500 companies in Energy and Telecommunications have had their corporate domains exposed in approximately 11k breaches/leakages since 2016, and over 40% of these exposures occurred since 2020, indicating worsening security of corporate credentials. Over 40% of executives from a sample of Fortune 500 companies in the Energy and Telecommunications sectors were exposed in a breach over the last 5 years. What is worse, out of a sample of 55 Fortune 500 Energy executives, nearly 1/4 have had their passwords exposed.
As the digital ecosystem becomes more intertwined, it’s become clear that we are all potential vectors of attack—both for our own assets and the networks that we belong to or have access to. The increasing relevance of social media attributes is evidence of this. In several cases, this type of publicly available data has been used to create fake accounts with real information, creating networks of imitation profiles for the deployment of coordinated disinformation campaigns that can have pernicious effects on brand reputation. For hackers, social media attributes can prove useful to obtain personal information about their targets, such as locations, workplaces, hobbies, family members, or friends. By obtaining a victim’s personal information, threat actors can launch more effective and sophisticated impersonation attacks in efforts to get sensitive information. These attacks could be targeted towards several possible entities, including company of employment, bank accounts, other financial information, and much more.
What Companies Can Do
As IBM’s aforementioned report noted, organizations that did not modernize their business operations during the pandemic incurred higher data breach costs. Similarly, in order to mitigate data breaches, organizations must increase investment in cybersecurity. But this is not merely an investment in technological improvements regarding cybersecurity. Equally important is an organization’s investment in its culture around cybersecurity and cyber hygiene. The human factor is often the key to attacker infiltration (phishing, weak passwords, exposed credentials, social engineering, etc.), so there must be an investment in cyber training to provide employees with a better understanding of how to protect valuable data.
Cybersecurity technology and training should be accompanied by more robust security policies. Multi-factor authentication policies, separating backup storage from critical systems, implementing strong encryption algorithms, and protecting attack surfaces through anticipatory threat intelligence allow organizations to better protect against breaches. It is the responsibility of executives and leaders to recognize that they themselves, their employees, and their organizations are becoming high-value targets for cyberattacks, and decisive actions must be taken to prevent data loss and reputational or financial harm.